b0efd269d32e581da747e5050ef98d2eb91e6de9080e0918f5af85b485a4bdd1

Analysis

max time kernel
68s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npcap-1.72.exe
Size

1.1MB
MD5

cab256acf99dc6e0685c0567ea6ee658
SHA1

08aefa7d9a941ffe7d5c29d6b65d115109b5e2b7
SHA256

b0efd269d32e581da747e5050ef98d2eb91e6de9080e0918f5af85b485a4bdd1
SHA512

7f2147cd7d2e0e044e4e46c26df015decc4ae4c51d8500e91f1155cfe91e58c38d5f9a10710e6c70ba7ab590a4828e344ac32f28ecefaf9557429caac626af9b
SSDEEP

24576:uZHcNHqqSX6AQzHlPnK7N1F7nJRFoK7EjvEYwa2MVZcXxZzHN9zqn4:aTUHlPK7rFj3qK7a2MV43O

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1388	powershell.exe
4756	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETE942.tmp	NPFInstall.exe
File created	C:\Windows\system32\DRIVERS\SETE942.tmp	NPFInstall.exe
File opened for modification	C:\Windows\system32\DRIVERS\npcap.sys	NPFInstall.exe

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4CE89794FE2D2F7E30121F10BCF76AC3CCF77CA9\Blob = 0300000001000000140000004ce89794fe2d2f7e30121f10bcf76ac3ccf77ca92000000001000000c7050000308205c3308204aba003020102021009256314069e7e6a88cb823075c0d9c9300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3230303530313030303030305a170d3231303530373132303030305a3081d231133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a88cd713346c50a5cd2a62900419f091330f9820b73b38785a8b5a25ceda8e11b71b2d11ff4b0c18cad405a2a195a6462619fa3ddf6d14466a350d1cf1c6ad48cce166fe6011a62ee62751046dd264b1cc145c4a4354537cec1ae615b6b8566a28ddf3b510fee92023dbe4190b44bb4174f94c4ec62256bd4aa5ba541ee833388db8cc411365e094ee6314eaff59ca6659bb6388300e7ffbd0f8b299889b8e3ea526f8ca926ded79eac89a6b068757ae428022e2602ec98babf5998216b0c28a709129a1300872878d9971e3130826a7d1ce894fe649a017003f07ee3c53ca0cba998fab097e573723fbd3e0ea1b742dd6d076b4c2284b93500021a7d27109630203010001a38201f8308201f4301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604140a9c208099309acdddf9c9909a03890dcd30c8ea30350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010042368fc33025a2a1338cf35a08d00e263958f825e79b6d3af23e0e4e4cf59bc8502022d452cbba14a53274e3a12a5b01f4aee16abfcb1b28d63484a0ae1995c9759c6f0970254da8902fb479f5f7869a566aa285f2c28e50096dfd2e14a9ecf0000963c570d2338def108dfe66b1e44d22182826749871a7f3977eba4976910f1f0de866fc75b918c1a9f466fcf96ae90df932071b9c770f0f3193f8ca500abe52cc316549403a5ca5b5422d1ebffffc3cbe3b926de552f493b53c6570fdd0736550f080c2db204b03bc00ff724241581b5dfb0dff7b8f2cc28f136c19cca8bd4b3c3d81404e69f4598e7b5458e41c6f2e6622a212d28c2615565782a1f66987	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3\Blob = 03000000010000001400000060ee3fc53d4bdfd1697ae5beae1cab1c0f3ad4e32000000001000000c0060000308206bc308205a4a003020102021003f1b4e15f3a82f1149678b3d7d8475c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3132303431383132303030305a170d3237303431383132303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e672043412028534841322930820122300d06092a864886f70d01010105000382010f003082010a0282010100a753fa0fb2b513f164cf8480fcae8035d1b6d7c7a32cac1a2cacf184ac3a35123a9291ba57e4c4c9f32fa8483cb7d66edc9722ba517961af432f0db79bb44931ae44583ea4a196a7874f237ec36c652490553ea1ca237cc542e9c47a62459b7dde6374cb9e6325f8849a9aad454fae7d1fc813cb759bc9e1e18af80b0c98f4ca3ed045aa7a1ea558933634be2b2e2b315866b432109f9df052a1efe83ed376f2405adcfa6a3d1b4bad76b08c5cee36ba83ea30a84cdef10b2a584188ae0089ab03d11682202276eb5e54381262e1d27024dbed1f70d26409802de2b69dce1ff2bb21f36cdbd8b3197b8a509fefec360a5c9ab74ad308a03979fdddbf3d3a09250203010001a38203583082035430120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307f06082b0601050507010104733071302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304906082b06010505073002863d687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63727430818f0603551d1f0481873081843040a03ea03c863a687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c3040a03ea03c863a687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274486967684173737572616e63654556526f6f7443412e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0302308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e301d0603551d0e041604148fe87ef06d326a000523c770976a3a90ff6bead4301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d01010b0500038201010019334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3BA63A6E4841355772DEBEF9CDCF4D5AF353A297\Blob = 0300000001000000140000003ba63a6e4841355772debef9cdcf4d5af353a2972000000001000000350500003082053130820419a00302010202100aa125d6d6321b7e41e405da3697c215300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3136303130373132303030305a170d3331303130373132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bdd032ee4bcd8f7fdda9ba8299c539542857b6234ac40e07453351107dd0f97d4d687ee7b6a0f48db388e497bf63219098bf13bc57d3c3e17e08d66a140038f72e1e3beecca6f63259fe5f653fe09bebe34647061a557e0b277ec0a2f5a0e0de223f0eff7e95fbf3a3ba223e18ac11e4f099036d3b857c09d3ee5dc89a0b54e3a809716be0cf22100f75cf71724e0aaddf403a5cb751e1a17914c64d2423305dbcec3c606aac2f07ccfdf0ea47d988505efd666e56612729898451e682e74650fd942a2ca7e4753eba980f847f9f3114d6add5f264cb7b1e05d084197217f11706ef3dcdd64def0642fda2532a4f851dc41d3cafcfdaac10f5ddacace956ff930203010001a38201ce308201ca301d0603551d0e04160414f4b6e1201dfe29aed2e461a5b2a225b2c817356e301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f30120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070308307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c30500603551d20044930473038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300b06096086480186fd6c0701300d06092a864886f70d01010b05000382010100719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3\Blob = 030000000100000014000000e1d782a8e191beef6bca1691b5aab494a6249bf3200000000100000002050000308204fe308203e6a00302010202100d424ae0be3a88ff604021ce1400f0dd300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f060355040313284469676943657274205348413220417373757265642049442054696d657374616d70696e67204341301e170d3231303130313030303030305a170d3331303130363030303030305a3048310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3120301e0603550403131744696769436572742054696d657374616d70203230323130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2e6618467c58af50d08a445ca636b51d73a1142bd0a75754d94b40c50b52610fe1dc86f916b0c96e71a5c48ef44e5bf9b61cd1591625ab8ff670b9c63fd366a81fa29f8dd2b7085de0218f3786dbc7df9c76d093dbe6a7687e98abdf8845d1e76c9e4c676763a53d1d1d35a368fc6a3e12f1b3ab761d673ec4e6d338a7c5d452d4bb150e6413a375686dc93238df75025e864e6ddd38f2f57b58720eb0e8e2cd523daf44d7846e3038331294a5c0c318a4a8c88c5f7305af914af155f6c434909fd262353f68d63e81aab5bb11d30c29b6982b4dbfc5654bc1fa187abbe7a5b0a202f4b09c995a78db2fad6638b4ea5721cee9f7a0173f819d6fe0d4984bd010203010001a38201b8308201b4300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830410603551d20043a3038303606096086480186fd6c07013029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f435053301f0603551d23041830168014f4b6e1201dfe29aed2e461a5b2a225b2c817356e301d0603551d0e041604143644868ea4bab066bebc282d1d4436dde36a7abc30710603551d1f046a30683032a030a02e862c687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c3032a030a02e862c687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d74732e63726c30818506082b0601050507010104793077302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304f06082b060105050730028643687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572745348413241737375726564494454696d657374616d70696e6743412e637274300d06092a864886f70d01010b05000382010100481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f	certutil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3C0D087ECDCC76D1084ABE00F1FEE5040400AE37\Blob = 0300000001000000140000003c0d087ecdcc76d1084abe00f1fee5040400ae372000000001000000c6050000308205c2308204aaa00302010202100aa60783ebb5076ebc2d12da9b04c290300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3231303530353030303030305a170d3234303631303233353935395a3081d2311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c02010313025553311b3019060b2b0601040182373c020102130a43616c69666f726e6961311530130603550405130c323030303130333130303133310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130753656174746c6531193017060355040a1310496e7365637572652e436f6d204c4c433119301706035504031310496e7365637572652e436f6d204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100a6ec814ee2c7075e2e29ac7ebd10b6188055929370a213b83fb6e337d82ed0756d15e267f6bc645e6db5bb1d586ef1098ead1595147d03897af04b666aa5a50def2b3af23974896c6fb4f5246baf3ec374dbfd90eeec7575ffb11a6efea7a0d7da0adb04eaf000b1ad520d9e9529b2a8cf420998d4c7a46c1f95e405e35f69ad8c05d62df0f9745017a6284134afba26f905d900da1c412200e6ca5c6b148f3f785aa0ebe35ea9160644bd6924b54625eb404ab39db981f6b216b6dd960930a1443b26aab08cdbcf1c5fd74dbb56c3e9df791f8429401dee5869e90c39f95000fc616b5ac8396b588e24407235ea074328c608112f6cb4f07347cd4d28d28ab90203010001a38201f7308201f3301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e04160414c5b210483c7598f90d32838cd0763d3cd85fef5130350603551d11042e302ca02a06082b06010505070803a01e301c0c1a55532d43414c49464f524e49412d323030303130333130303133300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304a0603551d2004433041303606096086480186fd6c03023029302706082b06010505070201161b687474703a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008b2182887ada0e08e4afe89019ded16e88ff6ff1b12fd9b2994b945b8c76c63862ae35a1751672c474c8575a039250105e346bb7ce7ae1f2494e760de418b9453f1bbac9255b0dccafd296adb3cdb49d46d54c3413bfc34a3e640e244da7b1e1dbd1b04cea414ff64fe57f0ef28944a42e41065548e4834f2b05d4aae8516a1f154c5b09af25fe059a69a7dc75a7deb4cf3068c402614ece0509edf02b0968b5c8d1081cdafcfba3b7c1599256e6685ef7391f46746eaf829bc8fd40f55be70a3fc51142648b78a903e750158328cb80d54aaddce82df8fe983b0e36af4dafbdbdffe8896bee9a93c370e77f735fe9c42fc2259a3e5672e9f75f37ecf7104e53	certutil.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npcap\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE54A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\system32\NpcapHelper.exe	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\NpcapHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\npcap.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\SysWOW64\NpcapHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE55B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\NPCAP.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.PNF	NPFInstall.exe
File created	C:\Windows\system32\Npcap\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\WlanHelper.exe	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE55C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE55C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}	DrvInst.exe
File created	C:\Windows\SysWOW64\Packet.dll	npcap-1.72.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	NPFInstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\NpcapHelper.exe	npcap-1.72.exe
File created	C:\Windows\SysWOW64\Npcap\WlanHelper.exe	npcap-1.72.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE55B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	NPFInstall.exe
File created	C:\Windows\SysWOW64\Npcap\Packet.dll	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\npcap.inf_amd64_234c5ff4bad41de2\npcap.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	NPFInstall.exe
File created	C:\Windows\system32\wpcap.dll	npcap-1.72.exe
File created	C:\Windows\system32\Packet.dll	npcap-1.72.exe
File created	C:\Windows\system32\Npcap\Packet.dll	npcap-1.72.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ef01e58-cfa7-7943-94b0-6c61c68089d3}\SETE54A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	NPFInstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Npcap\npcap.cat	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap_wfp.inf	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\LICENSE	npcap-1.72.exe
File created	C:\Program Files\Npcap\NPFInstall.exe	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\DiagReport.bat	npcap-1.72.exe
File created	C:\Program Files\Npcap\FixInstall.bat	npcap-1.72.exe
File created	C:\Program Files\Npcap\Uninstall.exe	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap.sys	npcap-1.72.exe
File created	C:\Program Files\Npcap\npcap.inf	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File opened for modification	C:\Program Files\Npcap\install.log	npcap-1.72.exe
File created	C:\Program Files\Npcap\DiagReport.ps1	npcap-1.72.exe
File opened for modification	C:\Program Files\Npcap\NPFInstall.log	NPFInstall.exe
File created	C:\Program Files\Npcap\CheckStatus.bat	npcap-1.72.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	NPFInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	NPFInstall.exe

Executes dropped EXE 4 IoCs

pid	Process
4700	NPFInstall.exe
3936	NPFInstall.exe
3580	NPFInstall.exe
4716	NPFInstall.exe

Loads dropped DLL 13 IoCs

pid	Process
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe
1996	npcap-1.72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npcap-1.72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	NPFInstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	NPFInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	NPFInstall.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4700	NPFInstall.exe
4700	NPFInstall.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	NPFInstall.exe
Token: SeAuditPrivilege	4500	svchost.exe
Token: SeSecurityPrivilege	4500	svchost.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeIncreaseQuotaPrivilege	4756	powershell.exe
Token: SeSecurityPrivilege	4756	powershell.exe
Token: SeTakeOwnershipPrivilege	4756	powershell.exe
Token: SeLoadDriverPrivilege	4756	powershell.exe
Token: SeSystemProfilePrivilege	4756	powershell.exe
Token: SeSystemtimePrivilege	4756	powershell.exe
Token: SeProfSingleProcessPrivilege	4756	powershell.exe
Token: SeIncBasePriorityPrivilege	4756	powershell.exe
Token: SeCreatePagefilePrivilege	4756	powershell.exe
Token: SeBackupPrivilege	4756	powershell.exe
Token: SeRestorePrivilege	4756	powershell.exe
Token: SeShutdownPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeSystemEnvironmentPrivilege	4756	powershell.exe
Token: SeRemoteShutdownPrivilege	4756	powershell.exe
Token: SeUndockPrivilege	4756	powershell.exe
Token: SeManageVolumePrivilege	4756	powershell.exe
Token: 33	4756	powershell.exe
Token: 34	4756	powershell.exe
Token: 35	4756	powershell.exe
Token: 36	4756	powershell.exe
Token: SeIncreaseQuotaPrivilege	4756	powershell.exe
Token: SeSecurityPrivilege	4756	powershell.exe
Token: SeTakeOwnershipPrivilege	4756	powershell.exe
Token: SeLoadDriverPrivilege	4756	powershell.exe
Token: SeSystemProfilePrivilege	4756	powershell.exe
Token: SeSystemtimePrivilege	4756	powershell.exe
Token: SeProfSingleProcessPrivilege	4756	powershell.exe
Token: SeIncBasePriorityPrivilege	4756	powershell.exe
Token: SeCreatePagefilePrivilege	4756	powershell.exe
Token: SeBackupPrivilege	4756	powershell.exe
Token: SeRestorePrivilege	4756	powershell.exe
Token: SeShutdownPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeSystemEnvironmentPrivilege	4756	powershell.exe
Token: SeRemoteShutdownPrivilege	4756	powershell.exe
Token: SeUndockPrivilege	4756	powershell.exe
Token: SeManageVolumePrivilege	4756	powershell.exe
Token: 33	4756	powershell.exe
Token: 34	4756	powershell.exe
Token: 35	4756	powershell.exe
Token: 36	4756	powershell.exe
Token: SeIncreaseQuotaPrivilege	4756	powershell.exe
Token: SeSecurityPrivilege	4756	powershell.exe
Token: SeTakeOwnershipPrivilege	4756	powershell.exe
Token: SeLoadDriverPrivilege	4756	powershell.exe
Token: SeSystemProfilePrivilege	4756	powershell.exe
Token: SeSystemtimePrivilege	4756	powershell.exe
Token: SeProfSingleProcessPrivilege	4756	powershell.exe
Token: SeIncBasePriorityPrivilege	4756	powershell.exe
Token: SeCreatePagefilePrivilege	4756	powershell.exe
Token: SeBackupPrivilege	4756	powershell.exe
Token: SeRestorePrivilege	4756	powershell.exe
Token: SeShutdownPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeSystemEnvironmentPrivilege	4756	powershell.exe
Token: SeRemoteShutdownPrivilege	4756	powershell.exe
Token: SeUndockPrivilege	4756	powershell.exe
Token: SeManageVolumePrivilege	4756	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4700	1996	npcap-1.72.exe	98
PID 1996 wrote to memory of 4700	1996	npcap-1.72.exe	98
PID 1996 wrote to memory of 4548	1996	npcap-1.72.exe	100
PID 1996 wrote to memory of 4548	1996	npcap-1.72.exe	100
PID 1996 wrote to memory of 4548	1996	npcap-1.72.exe	100
PID 1996 wrote to memory of 2456	1996	npcap-1.72.exe	102
PID 1996 wrote to memory of 2456	1996	npcap-1.72.exe	102
PID 1996 wrote to memory of 2456	1996	npcap-1.72.exe	102
PID 1996 wrote to memory of 3936	1996	npcap-1.72.exe	104
PID 1996 wrote to memory of 3936	1996	npcap-1.72.exe	104
PID 3936 wrote to memory of 2320	3936	NPFInstall.exe	106
PID 3936 wrote to memory of 2320	3936	NPFInstall.exe	106
PID 1996 wrote to memory of 3580	1996	npcap-1.72.exe	108
PID 1996 wrote to memory of 3580	1996	npcap-1.72.exe	108
PID 1996 wrote to memory of 4716	1996	npcap-1.72.exe	110
PID 1996 wrote to memory of 4716	1996	npcap-1.72.exe	110
PID 4500 wrote to memory of 3156	4500	svchost.exe	114
PID 4500 wrote to memory of 3156	4500	svchost.exe	114
PID 1996 wrote to memory of 1388	1996	npcap-1.72.exe	115
PID 1996 wrote to memory of 1388	1996	npcap-1.72.exe	115
PID 1996 wrote to memory of 1388	1996	npcap-1.72.exe	115
PID 1996 wrote to memory of 4756	1996	npcap-1.72.exe	117
PID 1996 wrote to memory of 4756	1996	npcap-1.72.exe	117
PID 1996 wrote to memory of 4756	1996	npcap-1.72.exe	117

C:\Users\Admin\AppData\Local\Temp\npcap-1.72.exe
"C:\Users\Admin\AppData\Local\Temp\npcap-1.72.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\NPFInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\NPFInstall.exe" -n -check_dll
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\SysWOW64\certutil.exe
  certutil -addstore -f "Root" "C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\roots.p7b"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:4548
- C:\Windows\SysWOW64\certutil.exe
  certutil -addstore -f "TrustedPublisher" "C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\signing.p7b"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -c
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SYSTEM32\pnputil.exe
    pnputil.exe -e
    3⤵
    PID:2320
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:3580
- C:\Program Files\Npcap\NPFInstall.exe
  "C:\Program Files\Npcap\NPFInstall.exe" -n -i
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "Microsoft.PowerShell.Management\Start-Service -Name npcap -PassThru | Microsoft.PowerShell.Management\Stop-Service -PassThru | Microsoft.PowerShell.Management\Start-Service"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -WindowStyle Hidden -NonInteractive -Command "ScheduledTasks\Register-ScheduledTask -Force -TaskName 'npcapwatchdog' -Description 'Ensure Npcap service is configured to start at boot' -Action (ScheduledTasks\New-ScheduledTaskAction -Execute 'C:\Program Files\Npcap\CheckStatus.bat') -Principal (ScheduledTasks\New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount) -Trigger (ScheduledTasks\New-ScheduledTaskTrigger -AtStartup) -Settings (ScheduledTasks\New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Compatibility Win8)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{44c70fe3-f706-d846-a0bf-19dd30bddc3c}\NPCAP.inf" "9" "405306be3" "0000000000000148" "WinSta0\Default" "00000000000000E8" "208" "C:\Program Files\Npcap"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Npcap\npcap.cat

Filesize
12KB

MD5
3fd9a520f8b768eee9ee35eedec6bf3d

SHA1
302f9b44e602c00f309cef47e0657148b8b0a741

SHA256
612f6989db53adf27aa9e53f9c6ff7061012a529853849019f0cb6da5ab67d8e

SHA512
4ef544970857028641da7c5d59a2feb28a5eded8d3b37f6e7b43b0a036d83b27bb2d8b49f9ed9b73a89ce70f310efda2e49220306a982d8893177740d0b3d6c9

Download Submit
C:\PROGRA~1\Npcap\npcap.sys

Filesize
75KB

MD5
c41047f5dc12cb06027b8c9180ba50ec

SHA1
b3990659a5d926bebbd3677123bf5150700d521c

SHA256
34d8eb66ba1bb1bc4a0f342d6346868e1d6049d19034a4ce9c6e98f0c1ecfc99

SHA512
962e8c728f9269ddcf3547cb8d78a1d893e64e6ccc75191ca718500e1a5ae3b58530721f8703ccd6a8e0db316a09b0f99fc03ca79acd16f1082c63f46b159b3a

Download Submit
C:\Program Files\Npcap\NPCAP.inf

Filesize
8KB

MD5
04c7944e5a04629fc393cadf44293136

SHA1
6d292051319573e4315c9e2988f53501793c57dc

SHA256
6b9273ab4333e5ec67fd4ff044c43916dfc6939bfefadc911f5c5a2dfae2db65

SHA512
2070fde243093f7f2d970cf9af876fbc829e72c43c929d03db5ac617d8c2d6d007e767cbe0f56563b7acb8b507bb7cb1f6cbb85d77c3a686fc0d1cdd3bddae88

Download Submit
C:\Program Files\Npcap\NPCAP_wfp.inf

Filesize
2KB

MD5
722fc22cb6b7556bd826c80a5d593607

SHA1
0863253fa38d0a4b7379846d415a9e43a2b5396f

SHA256
a68b8379090572eb3c4d7b8f4fd00c10ce31708e32c2fb86fb6b4581b6085720

SHA512
b2fafa2c0ccc5cbb6d707077bc3d147ac3b3b7a005b68a53d0e8df1268879aa29addd8bf36f01fd30f13a76cea311b521a8e2e38101df0516bf48b799b856a55

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
8f986202b50918e6b12c928fdfc43d90

SHA1
c69ae080bfa2913044310585b3cfb00d7eabcb4f

SHA256
46593ec834bc54f21732d94a01b9cfb9c8e074bb7cea33ba4c2de630c59db90a

SHA512
a2cbdded28b4a7c2afb19bb560bd1244376c8f2a35c08aa8615923a27333fd5ea32ec8ec83466146f11def64f9e2b7e95bed12d1a00ce223a975dcbcd0dd3bfe

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
1KB

MD5
3dd6a73ab68f1e36d4932da88661caac

SHA1
2d4eaa6d20bd79bebc6e54ace58867284b3c83bc

SHA256
8b0b714f9309493115144c4f6d6eb61400818b96bbde8a61a6ddda31d67b5f6d

SHA512
07a96282ae8d710025ee393b67aabd0a6584d3738e733e840c45057b66815fb9216c87ee8952b0dafe8f6a4cb20425e6cdfa0ec4441cfbfc381f409989dcbb90

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
2KB

MD5
db8732009ef018aff95a1ceb02c99c86

SHA1
e721f54219ea80ff6265a80f20a18290935b8408

SHA256
87de5c7c711d820adda3636383d7a951f10b4fc35ffce65e113abc8180efbb1f

SHA512
d50e853efdc7736490b345c0b398c13e8987fa29b65aa9996f0cf5b5e875d0bfcb5cb05ceee52d08ebcc7e3d2f6fa2802dc32273041ccca879db40c6348df8c0

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
3KB

MD5
7b4580e960109c17d0ac11124b5ea724

SHA1
29aa657101c7ccff07df412f81e34801cadf7a78

SHA256
09e99e944d5dc263887b9de47062da51b14d19a3d565d2e1626b74df9aa5f6f0

SHA512
1e7cf3f5f173b4bec0e69782175678ce05c8099231918c263daf6bc8840ceaf4832eb65c9d027582c7c38cc9cec043ca2836f190e4fc01309d94328387e3a336

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
01d2394780b0409ee655ace49a6e431e

SHA1
b11f7a6f69bcd9578896c53942388343aa66f412

SHA256
a1a9aeff185e602318a3da1d73f22a702f5c7edf2ab6a0ccb90b7e46fea291db

SHA512
1e2cf674b7b55e790145871afaccdef9bac11cd4d635f26d4d88f9595e383ccac1dcc0cd539e87323d59b6c05a67b322bca2921bdfc1d3dcc119f5c6d9c87268

Download Submit
C:\Program Files\Npcap\NPFInstall.log

Filesize
4KB

MD5
b191ead1cbe6751e681b1d43ffc0bb6b

SHA1
5b9cdb367d9040d2dd9a436f33bc1a68c98e1d3b

SHA256
6900c5c02a19368fe75be8e03fd0840199aa6b7a4d56b4b61b1ee55387df6022

SHA512
7d8b8147516371619ac87acae2ae11fa644d55e91262e73c4e5d482fc6d2d38989da95f733392d3b4e28bd5510ea107430db3f5dd5f5e6feba1e5d020cc570af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a55cd35e67ea8119b611d76e06669abb

SHA1
0d717591492bd6177b2591b9045134ce7f98372b

SHA256
3b61631a44aa2875cb4fd8da57b883364862281a7fd13d9e56fecab2b7884692

SHA512
30fbd2da59d4a2034b01ee634023fd46d66a87c98314fc46cbb1af1815a411fd3a46bd91a958a069869fa7d043185ac30e0eb79d4594cb853469abf01557adf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofs1fozt.hlg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\InstallOptions.dll

Filesize
22KB

MD5
170c17ac80215d0a377b42557252ae10

SHA1
4cbab6cc189d02170dd3ba7c25aa492031679411

SHA256
61ea114d9d0cd1e884535095aa3527a6c28df55a4ecee733c8c398f50b84cc3d

SHA512
0fd65cad0fcaa98083c2021de3d6429e79978658809c62ae9e4ed630c016915ced36aa52f2f692986c3b600c92325e79fd6d757634e8e02d5e582ff03679163f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\NPFInstall.exe

Filesize
301KB

MD5
69a2863281739e40702e40fde07ef72d

SHA1
8cf737fb5845a45445483cb1fae533c5a61da028

SHA256
5c2e569db9c5a978004b8fbf04ed372071ad998d759a12e5aaba470df158889e

SHA512
2315a4aa52f579a3633bd9c61c293b9fa78725d8331deee6ca24db70fb2565f431fc0f7f1ee84881b2e34b778ffc91c45e1b694ae517cdd266b0875e7089f178

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\System.dll

Filesize
19KB

MD5
f020a8d9ede1fb2af3651ad6e0ac9cb1

SHA1
341f9345d669432b2a51d107cbd101e8b82e37b1

SHA256
7efe73a8d32ed1b01727ad4579e9eec49c9309f2cb7bf03c8afa80d70242d1c0

SHA512
408fa5a797d3ff4b917bb4107771687004ba507a33cb5944b1cc3155e0372cb3e04a147f73852b9134f138ff709af3b0fb493cd8fa816c59e9f3d9b5649c68c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\final.ini

Filesize
568B

MD5
cae757421db8d011e41266bfd9439885

SHA1
7108a9f0740ee4e3a118f6ac9212e0446f074181

SHA256
ff350a68202aadb145f590c8579f9284d2e3c324b0369fde39e5a3a31d7b8204

SHA512
785d19c796834065c823a7da99036378bba54b932ea1e47d4ba0c1d123a0a09ec307a3459fb862221de74ce61d9a8d7ec73901c9de007d31e7b39eb7a19b16b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\nsExec.dll

Filesize
14KB

MD5
f9e61a25016dcb49867477c1e71a704e

SHA1
c01dc1fa7475e4812d158d6c00533410c597b5d9

SHA256
274e53dc8c5ddc273a6f5683b71b882ef8917029e2eaf6c8dbee0c62d999225d

SHA512
b4a6289ef9e761e29dd5362fecb1707c97d7cb3e160f4180036a96f2f904b2c64a075b5bf0fea4a3bb94dea97f3cfa0d057d3d6865c68da65fdcb9c3070c33d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\options.ini

Filesize
2KB

MD5
924e8d57fd505728e9e4c11497169946

SHA1
ddbb7c9ca35cc7de3dddaf309a7c7e51df2f6503

SHA256
43020343ded3f552e0e1344cefc88056be15a9c153c526c48a37de85fb501dd6

SHA512
1206758ccaaa88909d76db686dd41bc0f61377d419e23b6c7f9fbe87c2484e0da679556f9e766e7dd13a2c1355b697d1b837b7c65f9ca8cb96215b3d959d6d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\roots.p7b

Filesize
1KB

MD5
397a5848d3696fc6ba0823088fea83db

SHA1
9189985f027de80d4882ab5e01604c59d6fc1f16

SHA256
ad3bca6f2b0ec032c7f1fe1adb186bd73be6a332c868bf16c9765087fff1c1ca

SHA512
66129a206990753967cd98c14a0a3e0e2a73bc4cd10cf84a5a05da7bf20719376989d64c6c7880a3e4754fc74653dd49f2ffeffd55fc4ee5966f65beb857118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg53DA.tmp\signing.p7b

Filesize
7KB

MD5
dd4bc901ef817319791337fb345932e8

SHA1
f8a3454a09d90a09273935020c1418fdb7b7eb7c

SHA256
8e681692403c0f7c0b24160f4642daa1eb080ce5ec754b6f47cc56b43e731b71

SHA512
0a67cc346f9752e1c868b7dc60b25704255ab1e6ea745850c069212f2724eba62ffaaa48309d5eba6ae0235223518610fb4b60fc422e4babba4f33d331c71db5

Download Submit
memory/1388-426-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/1388-444-0x0000000006800000-0x0000000006822000-memory.dmp

Filesize
136KB

Download
memory/1388-439-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/1388-440-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/1388-441-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download
memory/1388-442-0x0000000006830000-0x00000000068C6000-memory.dmp

Filesize
600KB

Download
memory/1388-443-0x00000000067B0000-0x00000000067CA000-memory.dmp

Filesize
104KB

Download
memory/1388-429-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/1388-445-0x0000000007980000-0x0000000007F24000-memory.dmp

Filesize
5.6MB

Download
memory/1388-428-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/1388-425-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/1388-427-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/4756-464-0x0000000006F40000-0x0000000006F72000-memory.dmp

Filesize
200KB

Download
memory/4756-462-0x00000000056F0000-0x0000000005A44000-memory.dmp

Filesize
3.3MB

Download